The European Data Protection Board (EDPB) has published long-anticipated draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR). The guidelines will in particular be welcome to controllers and processors outside of the EU when assessing whether the GDPR applies. The guidelines are open for public consultation until 18 January 2019, after which the final version will be issued.
I. "Establishment" Criterion - Art. 3(1)
The EDPB confirms that "establishment" requires both a degree of stability of the arrangement, and the effective exercise of activities in the EU:
- A "stable arrangement" in the EU can be fulfilled even if just a single employee or agent acts with a sufficient degree of stability. However, the mere fact that an employee resides in the EU and works for a non-EU company does not automatically result in an "establishment" being created (see example 13).
- In addition to an "establishment" in the EU, there must be a link between the activity the data is being processed for and activities of the establishment in the EU. The nature of any such link is key in determining whether the GDPR applies under Art. 3(1), as such link must be "inextricable." One key aspect for an "inextricable link" may be the raising of revenue in the EU (which triggers the application of the GDPR to the non-EU entity).
- The GDPR can apply to non-EU data subjects if the processing is undertaken in the context of an establishment in the EU;
- If a controller outside of the EU uses a processor located in the EU, the processor is not an "establishment" of the controller and this fact is not, by itself, sufficient for the GDPR to apply directly to the controller. This is relevant to non-EU data controllers which outsource data processing to the EU. However, a processor located in the EU is subject to the processor requirements of the GDPR in relation to its processing activities, including the requirements for international data transfers under Art. 44 et seq. GDPR. Hence, the processor must put in place appropriate safeguards (e.g. EU Model Clauses) to transfer the personal data back to the non-EU controller. Processors will have difficulty complying with this requirement as no "Processor to Controller" EU Model Clauses currently exist. Further, limiting the services to controllers which are either in a country with an adequacy decision, or are Privacy Shield certified, is not an option from a business perspective. The EU Commission should adopt EU Model Clauses for this scenario urgently;
- Having a website accessible in the EU is not, by itself, sufficient to create an "establishment" in the EU.
The guidelines confirm that:
II. Offering Goods/Services and Monitoring Behavior - "Targeting" Criterion under Art. 3(2)
The guidelines clarify that "targeting" is required under both Art. 3(2)(a) (Offering Goods or Services) and Art. 3(2)(b) (Monitoring Behaviour). Although the guidelines specifically mention the criterion of "targeting" individuals in the EU only in respect of the offering of goods or services, the EDPB considers targeting to be an integral part of "monitoring." In the absence of targeting, mere processing of personal data of individuals in the EU is not, by itself, sufficient for the GDPR to apply under Art. 3(2).
The EDPB confirmed that Art. 3(2) GDPR requires the individual to be in the EU – citizenship or residence in the EU is irrelevant. Whether an individual is in the EU must be assessed at the time when the activity (e.g. the offer or monitoring) takes place.
The EDPB thus recommends a twofold approach to determine whether the processing relates to: (a) data subjects in the EU; and (b) the offering of goods or services to, or the monitoring of the behaviour of, data subjects in the EU in a targeted manner, as follows:
1. The "Targeting Criterion"
To determine whether the "Targeting" criterion is fulfilled, the guidelines provide various factors which have been adopted from European consumer protection law and which, in combination, may amount to targeting data subjects in the EU. These include, inter alia: (a) paying a search engine to provide a referencing service to facilitate access to its site by consumers in the EU, or launching marketing and advertisement campaigns directed at an EU country; (b) the international nature of the activity, such as certain tourist activities; (c) use of language/currency other than that generally used in the trader's country, especially the language/currency of one or more EU Member States; and (d) offering the delivery of goods in EU member states. The guidelines note that the mere accessibility of a website in the Union is not sufficient to amount to targeting.
2. The Offering of Goods/Services - Art. 3(2)(a)
The offering of services also includes the offering of "information society services", which are defined as "any information society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of the services."
The goods or services must be offered to a data subject, i.e. to an individual. In the employment context, a non-EU company with employees working remotely from, and residing in, an EU country does not offer services to such EU-based employees by making salary payments; hence the non-EU company with EU-based employees is not subject to the GDPR as per Art. 3 GDPR (see example 13) for those processing activities.
3. Monitoring Behavior - Art. 3(2)(b) GDPR
The guidelines state that although the recitals to the GDPR mention monitoring in relation to tracking behaviour on the internet, tracking through other technologies or networks involving personal data processing should also be taken into account when deciding whether the processing amounts to "monitoring behaviour"; the guidelines give examples such as wearable and smart devices.
The guidelines clarify that the term "monitoring" in this context requires a specific purpose for the collection and reuse of the relevant data about the individual's behaviour in the EU. Sensibly, the EDPB confirms that online collection or analysis of personal data of individuals in the EU does not automatically amount to "monitoring" for the purposes of Art. 3(2) of the GDPR. The purpose of the processing and any subsequent behavioural analysis or profiling in relation to that personal data is relevant.
The guidelines expressly require controllers or processors outside of the EU and subject to the GDPR pursuant to Art. 3(2) to appoint a representative under Art. 27. It follows that controllers or processors subject to the GDPR under Art. 3(1) are not required to appoint a representative. The EDPB also confirms that the appointment of a representative does not result in an "establishment", and thus does not trigger the application of the GDPR through Art. 3(1).
Furthermore the guidelines state that being a representative under Art. 27 is not compatible with the role of an external DPO under the GDPR, because (a) the DPO may not receive any instructions regarding the exercise of his/her tasks and must be independent, whereas the representative is subject to a mandate and thus to instructions; and (b) the combination of both roles might result in a conflict of interest.
In terms of enforcement action against representatives, although the EDPB acknowledges that the controller or processor subject to the GDPR is primarily liable for any enforcement action, the intention is to enable enforcement (including fines) against a representative in the same manner as against a controller or processor.
Despite the guidelines providing certain clarity, there are areas where clarification or guidance would have been useful. For example:
- Scenarios where a non-EU parent company receives personal data of employees of an EU affiliate raise the issue (i) whether the affiliate qualifies in this context as an "establishment" of the non-EU parent entity; and/or (ii) whether the offering of benefits to EU employees by the non-EU parent company triggers the GDPR under Art. 3(2)(a).
- The guidelines also only imply that a processor located outside of the EU which provides services to a legal entity acting as the controller is not directly subject to the GDPR. A common-sense interpretation would be that the GDPR does not apply directly to the processor outside of the EU, as the processor offers its services to a legal entity. However, the legal entity as a controller is still required under Art. 28 to conclude a data processing agreement with the non-EU processor.
- Regarding the appointment of representatives, the guidelines do not clarify whether the term "represent" means that the representative must receive a power of attorney to represent the controller or processor. If one is required, it is unclear how far-reaching the power of attorney of the representative must be. If one is not required, it is unclear whether this means that the representative acts as a "communicating messenger" only. One interpretation (in particular for tax reasons) would be that it is not necessary for the representative to have (full) power of attorney, e.g. to legally bind the non-EU company.